Store Systems Security: Preparing for the Retail System and Security Paradigm Shift

By Brian Musthaler | September 10, 2013

Posted in: Network Security Trends

I was in an Office Depot the other day. There was one person in line at the checkout counter and another customer approaching the line. Then a sales clerk intercepted the person heading toward the line and said, “I can help you right here, sir.” The clerk had a mobile device in her hands. She swiped the customer’s credit card, had him sign a form on the tablet and told him they’d email him the receipt.

As I watched this, I knew this process would be the future of retail. Like other industries, the retail sector continues to evolve by deploying mobile technology, intending to deliver conveniences that produce positive customer experiences and, hopefully, more sales and referrals. But it is not all a bed of roses.

“Customers want to be able to buy, fulfill and return anywhere. When done right, the introduction of mobile devices within the store can help enhance the customer experience but comes with expanded risks,” says Greg Buzek, President at IHL Group. Recently, IHL and McAfee released their survey assessment of retail security and the approaches used to safeguard retailer transactional systems. See Store Systems Security: Preparing for the Paradigm Shift.

To appreciate the changes that are taking place in retail, all one has to do is step into a store to see and experience this proliferation of devices, which often includes mobile point of sale (POS) and connected kiosks. Office Depot is just one of many retailers that have caught on to this trend.

According to the survey report, as a result of these changes, “two significant events have occurred: the increased sharing of information among more and more types of devices (with either LAN or wireless connections), and the need to be able to share information wirelessly within the store.” As the technology changes, so does the sophistication of the cyber criminals looking to compromise retailer systems.

While PCI compliance requirements continue to evolve, the study shows that retailers have a good understanding of PCI compliance in general but remain deeply concerned about POS security and maintaining PCI compliance. The study also shows that retailers struggle to maintain proper security and compliance as the number and variety of in-store systems increase.

Retailers, especially small merchants and restaurant owners, typically run razor-thin profit margins and are resource constrained when it comes to technology controls. But without adequate controls to manage store systems and with the increase in the number and variety of devices being used in this environment, retailers can expect security costs to continue to increase rapidly, according to the report.

As headlines indicate, breaches are not new to this industry, but the expanded footprint of systems like kiosks, mobile POS, and digital signage is adding complexity to the overall IT operating and control environment. The survey validates that security remains a significant concern and that retailers must provide a secure experience for their customers. History has shown that many customers abandon a merchant following a security breach.

Further, according to the report, whitelisting is growing in awareness as a mitigating control, with 31% of the respondents including it in their security strategy for POS systems. Application whitelisting is designed to keep malware from ever compromising and infecting a POS or other device: only the approved applications are authorized to run, and everything else is blocked by default. It controls what may launch; it does not by itself fix flaws in the approved software or in the operating system underneath.

Among retailers with more than $1 billion in revenue, interest in whitelisting and anti-virus as the primary security approach is about equal. Among merchants with over $5 billion in revenue, the gap widens significantly, with more choosing a whitelist strategy than an anti-virus strategy. "This data clearly suggests an ongoing strategy change around securing POS systems," the report found. Whitelisting in the POS environment offers an additional benefit: it can reduce the exposure of operating systems that the manufacturer no longer supports, because unapproved executables cannot launch even when the platform itself goes unpatched. It is a compensating control rather than a substitute for patching, since a vulnerability in the operating system or in an approved application can still be exploited by code that is injected into a running, approved process and never lands on disk as a new executable.
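To make the two whitelisting paragraphs above concrete, here is an added example (not code from the article, the IHL/McAfee report, or any vendor product) of the decision a host-based application allowlist makes before letting an executable run. The policy format, file paths and sample "binaries" are all constructed for illustration. It also shows why a path-only allowlist is a weak setting: a binary replaced in place at an approved path sails through, whereas a hash-pinned allowlist denies both the tampered image and an unknown dropped binary.

```python
"""Illustrative application-allowlist check for a POS host (added example).

Hypothetical policy format: each entry maps an executable path to the
SHA-256 of the approved binary. The host lets a program run only if the
path is listed AND the content hash matches. The sample binaries below
are constructed byte strings standing in for real executables.
"""
import hashlib
from typing import Dict, Tuple

# Constructed sample binaries (not real POS software).
APPROVED_POS_BINARY = b"POSAPP v4.2 build 117 -- approved image"
TAMPERED_POS_BINARY = APPROVED_POS_BINARY + b"\x90\x90 injected stub"
UNKNOWN_BINARY = b"memscraper.exe -- never approved"

POS_PATH = r"C:\POS\posapp.exe"          # hypothetical approved path
DROPPED_PATH = r"C:\Users\Public\memscraper.exe"  # hypothetical malware drop


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_policy(approved: Dict[str, bytes]) -> Dict[str, str]:
    """Build a path -> SHA-256 allowlist from known-good binaries.

    In practice this would be generated from a gold image at build time
    and pushed read-only to the store systems; here it is built inline."""
    return {path: sha256_hex(content) for path, content in approved.items()}


def path_only_allows(policy: Dict[str, str], path: str) -> bool:
    """Weak variant: trusts the file system path alone.

    A binary overwritten or patched in place at an approved path is still
    allowed, so this gives no protection against in-place tampering."""
    return path in policy


def allowlist_allows(policy: Dict[str, str], path: str, content: bytes) -> Tuple[bool, str]:
    """Default-deny check: run only if the path is listed and the SHA-256
    matches the approved hash. Everything else is blocked, which is what
    stops a dropped malware binary or a modified POS image from launching."""
    expected = policy.get(path)
    if expected is None:
        return False, "not in allowlist"
    actual = sha256_hex(content)
    if actual != expected:
        return False, f"hash mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return True, "approved"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the hash-pinned check over three constructed cases."""
    policy = build_policy({POS_PATH: APPROVED_POS_BINARY})
    cases = {
        "approved binary": (POS_PATH, APPROVED_POS_BINARY),
        "tampered binary at approved path": (POS_PATH, TAMPERED_POS_BINARY),
        "unknown binary": (DROPPED_PATH, UNKNOWN_BINARY),
    }
    return {label: allowlist_allows(policy, path, content)
            for label, (path, content) in cases.items()}


if __name__ == "__main__":
    for label, (allowed, reason) in demo().items():
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{label:35} -> {verdict:5} ({reason})")
    # Contrast: the path-only check still lets the tampered binary run.
    policy = build_policy({POS_PATH: APPROVED_POS_BINARY})
    print("path-only check on tampered binary:", path_only_allows(policy, POS_PATH))
```

The hash pin is what turns "only the approved application runs" from a statement about file names into one about file contents; without it, overwriting the POS executable in place defeats the control. Real products add signer-based rules and control of loaded libraries and scripts as well, which this example leaves out.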

Another key finding was that confidence in a store’s digital security falls as device variability rises: respondents believe that the more mobile device platforms a store runs, the less secure the overall environment will be. Securing several different platforms is challenging, so merchants should consider an MDM (mobile device management) system that can enforce consistent protection across heterogeneous operating systems.

Lastly, the report highlights that retailers need to take into account a store’s overall device ecosystem and develop comprehensive plans to secure these devices. Additionally, the report recommends that retailers also create adequate controls to manage store system variability. If they fail to do either of these things, security costs will quickly rise to unmanageable levels. As with all industries, security strategies need to evolve faster than the devices they safeguard.

As my grandmother always said, “An ounce of prevention is worth a pound of cure.” In today’s ever-changing technology, compliance and threat landscape, staying one step ahead of risks and threats can actually lower security costs.
